[ECP-9279] Bancontact mobile doesn't work #510

Open
wannevancamp opened this issue Jun 13, 2024 · 8 comments
@wannevancamp
Contributor

Describe the bug

The payment method Bancontact mobile gives the following error after you pay the order.

Uncaught PHP Exception Shopware\Core\Checkout\Payment\Exception\TokenInvalidatedException: "The provided token eyJ.... is invalidated and the payment could not be processed." at /var/web/vd25152/releases/20240427.2236/vendor/shopware/core/Checkout/Payment/Cart/Token/JWTFactoryV2.php line 80

Versions
Shopware version: all
Plugin version: all

To Reproduce
Steps to reproduce the behavior:

  1. On your mobile phone pay an order with Bancontact mobile
  2. You get redirected to the Bancontact mobile app
  3. Pay the order
  4. You are redirected to Shopware
  5. Result: an error is shown: TokenInvalidatedException

Expected behavior
When returning back to the shop after a successful payment the order finish page must be shown.

@candemiralp candemiralp changed the title Bancontact mobile doesn't work [ECP-9279] Bancontact mobile doesn't work Jun 14, 2024
@candemiralp
Member

Hello @wannevancamp,

Thank you for creating this issue with the details. We've created an internal ticket to handle this case and our support team is also investigating the issue as you have an active support ticket.

You will be informed when we conclude the investigation.

Best regards,
Can

@candemiralp candemiralp added the Bug report Indicates that issue has been marked as a possible bug label Jun 14, 2024
@candemiralp candemiralp self-assigned this Jun 14, 2024
@wannevancamp
Contributor Author

wannevancamp commented Jul 29, 2024

@candemiralp, meanwhile I have some more information about this issue.

When you place an order on mobile, you are redirected to the mobile app. In the background, a popup in the checkout remains open and continues to poll for the payment status. Once the payment response isFinal, the popup closes, and you are redirected to the return URL. Simultaneously, you may be redirected to the return URL from the payment app. The return URL can only be accessed once with the same token. If you visit the return URL (/payment/finalize-transaction) a second time with the same token, an error, TokenInvalidatedException, is thrown.

Solution:

  • On mobile, the popup should not trigger a redirect.

Update from Shopware:
[image]

@candemiralp
Member

Hello @wannevancamp,

Thank you for this detailed explanation. It shed a lot of light on the investigation and I've added those points to the ticket. You will be updated soon.

Best Regards,
Can

@candemiralp
Member

Hello @wannevancamp,

We've been working on this issue and realised a couple of points after reproducing the issue with the steps you've described.

The proposed solution "On mobile, the popup should not trigger a redirect." can't be implemented, as it will fail if the mobile device doesn't have an application and the payment is completed with another mobile device (Tablet for shopping + phone for scanning QR with Payconiq app).

The Return to Shop button is only shown in the Payconiq application if the payment is opened in the application directly, but not when scanning the QR code. Since there won't be a Return to Store button in the application in the QR code scanning scenario, the shopper will be stuck on the checkout page with an open pop-up.

We're still investigating some alternatives, mainly storing the token somewhere else and creating a proxy controller (which will be used as returnUrl) in the plugin to finalise the payment, so that multiple attempts to the same URL can be handled elegantly. We don't know the consequences for headless integration or the possibility of releasing it as a non-breaking change yet.

Please feel free to share your opinion and I'll also update you once we have a concrete solution.

Best regards,
Can

@wannevancamp
Contributor Author

Hi @candemiralp, using a proxy controller (own endpoint) seems a valid solution.
You're right, on mobile the redirect flow still needs to exist in case the payment is completed with another mobile device.

@candemiralp
Member

Hello @wannevancamp,

Thank you for your input. I will keep you updated during the investigation period.

Best regards,
Can

@wannevancamp
Contributor Author

@candemiralp, I saw your draft PR #535. Any update on this one?

@candemiralp
Member

Hello @wannevancamp,

Using a proxy controller didn't solve the issue and introduced more problems, as the token is validated in many places. Besides that, bypassing the token validation will make the success page accessible every time, even with an invalidated token. Considering the success page contains PII data (order details, personal details and shipping information), we understand Shopware's concern about introducing a token.

Our next step is discussing Adyen's Bancontact implementation in the backend to see if there is room for improvement. We will try to find a solution to the root cause of the issue.

We will keep you updated as we finalise the discussion internally.

Best Regards,
Can
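
The double-return race and the replay concern discussed in this thread, modelled as an added example (not code from Shopware or the Adyen plugin; `ReturnTokenStore`, its methods and the sample ids are hypothetical): the token is consumed on the first finalize, and a repeat visit is only treated as "already finalized" when it comes from the session that started the payment.

```php
<?php
declare(strict_types=1);

// Hypothetical model of a single-use return token; not Shopware's JWTFactoryV2.
final class ReturnTokenStore
{
    /** @var array<string, array{order: string, session: string, used: bool}> */
    private array $tokens = [];

    public function issue(string $orderId, string $sessionId): string
    {
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = ['order' => $orderId, 'session' => $sessionId, 'used' => false];
        return $token;
    }

    /** Returns 'finalized', 'already-finalized' or 'rejected'. */
    public function finalize(string $token, string $sessionId): string
    {
        if (!isset($this->tokens[$token])) {
            return 'rejected';                  // unknown token
        }
        $entry = &$this->tokens[$token];
        if (!hash_equals($entry['session'], $sessionId)) {
            return 'rejected';                  // replay from another browser: no order data shown
        }
        if ($entry['used']) {
            return 'already-finalized';         // second redirect: finish page, no re-processing
        }
        // In a shared store this check-and-set has to be one atomic operation.
        $entry['used'] = true;                  // payment is processed exactly once
        return 'finalized';
    }
}

// Constructed scenario: the polling popup and the payment app both hit the return URL.
$store = new ReturnTokenStore();
$token = $store->issue('order-1001', 'session-shopper');

echo $store->finalize($token, 'session-shopper'), PHP_EOL; // redirect triggered by the popup
echo $store->finalize($token, 'session-shopper'), PHP_EOL; // redirect from the payment app
echo $store->finalize($token, 'session-other'), PHP_EOL;   // same URL opened in another session
```

If the payment app returns the shopper into a different browser than the one that started checkout, the session check rejects that visit, which is the trade-off between tolerating the second redirect and exposing the success page.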
